VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-pnk6-vjcp-u7aa

Essentials
Severities (27)
References (11)
Severity details (25)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-pnk6-vjcp-u7aa
Aliases	CVE-2023-38489 GHSA-5mvj-rvp8-rf45
Summary	Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts (unless Kirby's API and Panel are disabled in the config). It can only be abused if a Kirby user is logged in on a device or browser that is shared with potentially untrusted users or if an attacker already maliciously used a previous password to log in to a Kirby site as the affected user. Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization. In the variation described in this advisory, it allows attackers to stay logged in to a Kirby site on another device even if the logged in user has since changed their password. Kirby does not invalidate user sessions that were created with a password that was since changed by the user or by a site admin. If a user changed their password to lock out an attacker who was already in possession of the previous password or of a login session on another device or browser, the attacker would not be reliably prevented from accessing the Kirby site as the affected user. The problem has been patched in Kirby 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6. In all of the mentioned releases, the maintainers have updated the authentication implementation to keep track of the hashed password in each active session. If the password changed since the login, the session is invalidated. To enforce this fix even if the vulnerability was previously abused, all users are logged out from the Kirby site after updating to one of the patched releases.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-613	Insufficient Session Expiration
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00207	https://api.first.org/data/v1/epss?cve=CVE-2023-38489
epss	0.00207	https://api.first.org/data/v1/epss?cve=CVE-2023-38489
cvssv3.1	7.3	https://github.com/getkirby/kirby
generic_textual	HIGH	https://github.com/getkirby/kirby
cvssv3.1	7.3	https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931
generic_textual	HIGH	https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931
ssvc	Track	https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931
cvssv3.1	7.3	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.5.8.3
cvssv3.1	7.3	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.6.6.3
cvssv3.1	7.3	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.7.5.2
cvssv3.1	7.3	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.8.4.1
cvssv3.1	7.3	https://github.com/getkirby/kirby/releases/tag/3.9.6
generic_textual	HIGH	https://github.com/getkirby/kirby/releases/tag/3.9.6
ssvc	Track	https://github.com/getkirby/kirby/releases/tag/3.9.6
cvssv3.1	7.3	https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45
generic_textual	HIGH	https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45
ssvc	Track	https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45
cvssv3.1	7.3	https://nvd.nist.gov/vuln/detail/CVE-2023-38489
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2023-38489

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2023-38489
		https://github.com/getkirby/kirby
		https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931
		https://github.com/getkirby/kirby/releases/tag/3.5.8.3
		https://github.com/getkirby/kirby/releases/tag/3.6.6.3
		https://github.com/getkirby/kirby/releases/tag/3.7.5.2
		https://github.com/getkirby/kirby/releases/tag/3.8.4.1
		https://github.com/getkirby/kirby/releases/tag/3.9.6
CVE-2023-38489		https://nvd.nist.gov/vuln/detail/CVE-2023-38489
GHSA-5mvj-rvp8-rf45		https://github.com/advisories/GHSA-5mvj-rvp8-rf45
GHSA-5mvj-rvp8-rf45		https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/commit/7a0a2014c69fdb925ea02f30e7793bb50115e931

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.5.8.3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.5.8.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.6.6.3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.6.6.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.7.5.2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.7.5.2

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.8.4.1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.8.4.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/releases/tag/3.9.6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/releases/tag/3.9.6

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-10-23T13:28:36Z/ Found at https://github.com/getkirby/kirby/security/advisories/GHSA-5mvj-rvp8-rf45

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38489

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.4315
EPSS Score	0.00207
Published At	June 5, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:45:28.192046+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/getkirby/cms/CVE-2023-38489.yml	38.6.0